Mbachan Fabrice Tanwan 
Innopolis University 
Damn Vulnerable GraphQL Application is an intentionally vulnerable implementation of Facebook’s GraphQL technology, built for learning and practicing GraphQL security. You can get the code from SNE-M23-SN. Credit goes to Dolev Farhi, whose repo we forked.
Damn Vulnerable GraphQL is a purposely weak and insecure implementation of GraphQL that provides a safe environment for attacking GraphQL applications and testing for vulnerabilities.
To obtain a thorough grasp of the vulnerabilities you’re working with and properly exploit them, you’ll need a set of specific tools. Here’s a list of key tools you’ll need.
Docker
Docker is a platform that has gained wide acceptance for containerization. It greatly simplifies the process of managing and deploying applications in containers, making it a vital tool for any developer.

Burp Suite
Burp Suite is a formidable tool in the realm of web application security testing. It offers a wide array of features, suitable for both manual and automated testing. It plays a vital role in intercepting and analyzing HTTP requests and responses, making it indispensable for security testing.

Postman
Postman has garnered popularity as a highly effective tool for testing APIs. It provides an intuitive user interface that allows you to easily send HTTP requests and closely examine the responses you receive. You have the option to use either the desktop application or the web version, depending on your preference.

Postman and Burp Suite are both popular tools used for API testing, but they serve different purposes:
Postman is primarily used for building, testing, and documenting APIs. It provides a user-friendly interface for creating API requests, managing environments, and collaborating with team members.
Burp Suite is a comprehensive web application security testing platform. While it can be used for API testing, its main focus is on identifying vulnerabilities in web applications, including those exposed through APIs.
Combining Postman and Burp Suite in this guide can be beneficial for the following reasons:
Postman can be used to create and execute API requests, while Burp Suite can intercept and analyze the traffic to identify potential security issues.
Burp Suite can be used to test APIs for vulnerabilities like injection flaws, broken authentication, and security misconfigurations, which are covered in the OWASP API Security Top 10.
Using both tools together provides a more comprehensive approach to API testing, leveraging the strengths of each tool.
Docker is chosen as the containerization tool in this guide for several reasons:
Docker is the most popular and widely-used containerization platform, with a large and active community.
Docker provides a consistent and reproducible environment for running applications, making it easier to set up and deploy the vAPI application.
Docker simplifies the management of dependencies and ensures that the application runs consistently across different environments.
In addition to Docker, this guide will also use Docker Compose to define and manage the multi-container application. Docker Compose allows you to define the services, networks, and volumes required for the application in a single configuration file, making it easier to set up and manage the environment.
The following Python3 libraries are required:
Clone the repository
git clone https://github.com/SNE-M23-SN/Damn-Vulnerable-GraphQL-Application
Build the Docker image
docker build -t dvga .
Note: If you are using an ARM-based Mac, use the dedicated Dockerfile.arm64 file:
docker build -t dvga -f Dockerfile.arm64 .
Create a container from the image
docker run -d -t -p 5013:5013 -e WEB_HOST=0.0.0.0 --name dvga dvga
In your browser, navigate to http://localhost:5013
Note: if you need the application to bind on a specific port (e.g. 8080), use -e WEB_PORT=8080.
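The `-p 5013:5013` mapping above publishes the deliberately vulnerable application on every host interface, so on a shared network it is worth limiting the lab to loopback and verifying the result. The script below is an added example, not part of DVGA or the original guide; the function names and sample outputs are constructed for illustration, and it assumes the container name dvga used above.

```shell
#!/bin/sh
# Added example (not part of DVGA): keep the lab reachable only from this host.
#
# `-p 5013:5013` publishes the port on every host interface. Prefixing the
# mapping with 127.0.0.1 limits it to loopback:
#
#   docker run -d -t -p 127.0.0.1:5013:5013 -e WEB_HOST=0.0.0.0 --name dvga dvga
#
# WEB_HOST=0.0.0.0 is unchanged: it applies to the app inside the container.

# exposed_bindings TEXT
# TEXT is output in the format of `docker port <container>`.
# Prints every mapping whose host address is not a loopback address.
exposed_bindings() {
  printf '%s\n' "$1" | awk -F' -> ' '
    NF == 2 {
      addr = $2
      sub(/:[0-9]+$/, "", addr)   # drop the trailing :port
      gsub(/\[/, "", addr)        # drop IPv6 brackets
      gsub(/\]/, "", addr)
      if (addr !~ /^127\./ && addr != "::1") print $0
    }'
}

# check_container NAME
# Returns 0 if NAME publishes no port beyond loopback, 1 if it does,
# 2 if `docker port` itself fails (e.g. no such container).
check_container() {
  cc_out=$(docker port "$1") || return 2
  cc_bad=$(exposed_bindings "$cc_out")
  if [ -n "$cc_bad" ]; then
    printf 'reachable from the network:\n%s\n' "$cc_bad" >&2
    return 1
  fi
  return 0
}

# Constructed sample outputs (not captured from a real run).
SAMPLE_DEFAULT='5013/tcp -> 0.0.0.0:5013
5013/tcp -> [::]:5013'
SAMPLE_LOOPBACK='5013/tcp -> 127.0.0.1:5013'

# Run the check only when a container name is passed, e.g. `sh check.sh dvga`.
if [ "$#" -gt 0 ]; then
  check_container "$1"
fi
```

Saved as check.sh (a hypothetical file name), `sh check.sh dvga` exits non-zero and lists the offending mappings when the container was started with the all-interfaces mapping.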


See the Scenario section
To see how the various scenarios are compromised, visit your app at http://localhost:5013/solutions, assuming you are still working on port 5013.
GraphQL, while offering flexibility and efficiency in API design, introduces several unique security challenges that must be addressed to protect applications and data. From reconnaissance and fingerprinting to a variety of injection and denial of service attacks, understanding these vulnerabilities is crucial for both developers and security professionals.
By being aware of these potential vulnerabilities and implementing strong security measures, developers can harness the power of GraphQL while maintaining a robust security posture. Regular security audits, continuous monitoring, and staying updated with the latest security practices will further enhance the resilience of GraphQL APIs against evolving threats.